CastleCops® dowloader.trojan

Need help? Click here to register for free! Absolutely zero advertisements on this site!

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Forum FAQ

Usergroups

Profile

Select FavForums

dowloader.trojan

This topic is locked you cannot edit posts or make replies

All -> FavForums -> Trend Micro HijackThis Logs

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

slope

Cadet
Cadet

Joined: Nov 15, 2003
Posts: 4
Location: USA

Posted: Sat Nov 15, 2003 7:23 pm Post subject: dowloader.trojan

My Norton Anti-Virus has just announced that it found the downloader.trojan virus attached to a file called susp.cab in my Local Settings/temp directory. Norton can't repair, quarantine or delete it. I tried to follow Symantec's instructions for removing the virus but didn't see anything in the registry that referred to downloader.trojan. There was however, a reference to susp.exe which is similar to the name of the file that is supposedly infected. A new scan said that the virus was still present. Any suggestions? Phil P.S. I installed the Perfect Process software that was mentioned in this forum earlier, and it did not detect any spyware on my drive.

CalamityJane

Security Expert
Microsoft MVP

Joined: Oct 05, 2002
Posts: 4004

Posted: Sat Nov 15, 2003 7:55 pm Post subject:

Hi Phil, An you post a copy of the log report from NAV so we can see the exact path the file it is flagging? You should also do the following so we can see exactly what is running on your system: Download Hijack This! http://www.tomcoyote.org/hjt/ Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

slope

Cadet
Cadet

Joined: Nov 15, 2003
Posts: 4
Location: USA

Posted: Sat Nov 15, 2003 9:43 pm Post subject:

Thanks for the reply. I realized that NAV does refer to susp.exe. The NAV message says: The compressed file susp.exe in Local Settings/Temp/susp.cab is infected with the download.torjan virus. Logfile of HijackThis v1.97.6 Scan saved at 1:48:39 PM, on 11/15/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Winamp\Winampa.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\LinkStash\lsmon.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\EarthLink TotalAccess\TaskPanl.exe C:\Program Files\AdSubtract\adsub.exe C:\Program Files\America Online 7.0\aoltray.exe C:\WINDOWS\System32\wuauclt.exe C:\hijackthis\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444 N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Philip Mattera\Application Data\Mozilla\Profiles\default\0htdc8yv.slt\prefs.js) O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [Dell\|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [LinkStashMonitor] "C:\Program Files\LinkStash\lsmon.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth O4 - Startup: LinkStash.lnk = C:\Program Files\LinkStash\lnkstash.exe O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/SS4J8105/screen.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.pdc.wa.gov/viewer/activeXViewer/activexviewer.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{47AF36CC-83FF-4C6E-92E0-067A0C40A97F}: NameServer = 207.69.188.186,207.69.188.187

TonyKlein

Site Moderator
Microsoft MVP

Joined: Oct 15, 2002
Posts: 13120
Location: Netherlands

Posted: Sat Nov 15, 2003 10:02 pm Post subject:

First, would you please send a copy of the C:\WINDOWS\susp.exe file to submit-stuffATxs4all.nl for analysis, please? (please replace "AT" in that e-mail addy by the familiar @ ) for analysis, please? This is a pretty recent baddie, and we'd like to have a closer look at it! TIA! Next, in Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one. Next, close all browser Windows, and have HT fix all checked. O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/SS4J8105/screen.cab _________________ Tony CLSID List

slope

Cadet
Cadet

Joined: Nov 15, 2003
Posts: 4
Location: USA

Posted: Sun Nov 16, 2003 3:18 pm Post subject:

I made the Hijack This changes, but NAV is still claiming that downloader.trojan is infecting a file that I don't think exists any longer on my machine. Out of curiousity, I ran McAfee--and it did not detect the virus. I am inclined to believe that there is a glitch with NAV and will contact Symantec to get their opinion. Phil

TonyKlein

Site Moderator
Microsoft MVP

Joined: Oct 15, 2002
Posts: 13120
Location: Netherlands

Posted: Sun Nov 16, 2003 3:21 pm Post subject:

What is the name of the file NAV tags as that trojan, and what location is it at exactly?

Bell

Cadet
Cadet

Joined: Nov 17, 2003
Posts: 7
Location: USA

Posted: Mon Nov 17, 2003 4:09 pm Post subject: downloader.trojan

Hey I just downloaded the hijack this program and ran it and now I have my log I've saved, where do I post it?

TonyKlein

Site Moderator
Microsoft MVP

Joined: Oct 15, 2002
Posts: 13120
Location: Netherlands

Posted: Mon Nov 17, 2003 4:16 pm Post subject:

Bell, your HijackThis Log has been moved to it's own thread in the Antivirus forum. You can find it here: /t7786-Bells_Hijack_This_log.html Anyone else reading this thread, please post a new topic of your own,and do not add to this thread. That would make things very confusing indeed. _________________ Tony CLSID List

	All -> FavForums -> Trend Micro HijackThis Logs	All times are GMT
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 112ppm 3.956s (3.554s) Making cybercriminals unhappy since 2002*